[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] wintcpmod.exe Hear of it?

To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: Re: [Full-disclosure] wintcpmod.exe Hear of it?
From: Michael Holstein <michael.holstein@xxxxxxxxxxx>
Date: Fri, 06 May 2005 13:09:09 -0400

Probably a <flavor_of_the_month>bot variant. Run it by Norman's sandbox and see what shakes out.

http://sandbox.norman.no/live_4.html

Try to Un-[upx|rar|zip] it first .. Norman's website dosen't handle programs that are compressed multiple times so well (and bot-kiddies like to do just that to hide them/frustrate us).

Also .. check standard spots in the registry to see if it's set to run on startup (HKLM/Software/Microsoft/Windows/CurrentVersion/Run and RunServices).

As mentioned in another post, http://www.virustotal.com is another good spot to run it through.

Seeing the same file in those two places is fairly common bot behavior .. they want to ensure they get it at least one place that's in the $PATH.

If all else fails, a VMware guest (with Ethereal on the host O/S) is your friend.

Cheers,

Michael Holstein CISSP GCIA
Cleveland State Univeristy

Dan Bambach wrote:

I noticed today that a program wintcpmod.exe, located in two places on my hard drive, windows\system and windows\system32 was attempting to access port 53. My firewall blocked it and sent an alert. I am on the road, so I have not had time to fully investigate this yet, but a Google search produced very little about this program. It sets a registry key for local machine “run”, and can be seen on the process screen. It does not appear in the services list. I was able to kill it, but in my Google search, someone has claimed that they were unable to kill the process. I am running WinXP SPk2 fully patched, and Symantec AntiVirus, ZoneAlarmPro. Microsoft AntiSpyware does not report anything.
Has anyone else seen this program?
Dan Bambach
Dan@xxxxxxxxxxxx <mailto:Dan@xxxxxxxxxxxx>
------------------------------------------------------------------------
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- [Full-disclosure] wintcpmod.exe Hear of it?
  - From: Dan Bambach

Prev by Date: [Full-disclosure] MDKSA-2005:082 - Updated OpenOffice.org packages fix heap overflow vulnerability
Next by Date: [Full-disclosure] [ GLSA 200505-03 ] Ethereal: Numerous vulnerabilities
Previous by thread: [Full-disclosure] wintcpmod.exe Hear of it?
Next by thread: RE: [Full-disclosure] wintcpmod.exe Hear of it?
Index(es):
- Date
- Thread